Submission note:
This page is a product-engineering disclosure draft, not legal
advice. The final App Store Connect and Google Play Console answers
must be confirmed against the release candidate, SDK versions,
enabled analytics, payment configuration, and actual account deletion
flow in the app.
1. Public Links for Store Forms
- Privacy Policy URL: https://baskettrainer.com/legal/privacy-policy.html.
- Account deletion URL: https://baskettrainer.com/legal/account-deletion.html.
- Terms URL: https://baskettrainer.com/legal/terms-and-conditions.html.
- Health and safety URL: https://baskettrainer.com/legal/health-safety-disclaimer.html.
- Open-source notices URL: https://baskettrainer.com/legal/open-source-notices.html.
2. Data Safety / App Privacy Mapping
| Store category | BasketTrainer examples | Purpose | Shared with |
|---|---|---|---|
| Personal info | Email, name, nickname, avatar/provider photo, role, language, public trainer profile. | Account creation, authentication, trainer/player/team workflow, support, public profiles when enabled by the user. | Service providers for hosting, auth, notifications, search, diagnostics, and payments. |
| Health and fitness | Training plans, workout completions, exercise parameters, test results, records, body-composition and InBody imports, Apple Watch workout-session state. | Deliver coaching, training, progress tracking, reports, watch sync, and user-requested body-composition analysis. | Assigned players, trainers, team staff, and processors needed to operate the feature. Not sold or used for ads. |
| User content | Messages, journal notes, voice notes, transcripts, attachments, training snapshots, public plan descriptions, uploaded images/videos. | Trainer-player communication, journaling, plan publishing, support, and AI-assisted cleanup/transcription when requested. | Assigned product participants and processors such as storage, AI, diagnostics, and media services. |
| Financial info and purchases | Public plan prices, Stripe Connect account identifiers, checkout status metadata, trainer billing reports. | Paid public plans, billing reports, payment status handling, dispute support. | Stripe and infrastructure providers. BasketTrainer should not store full card numbers. |
| Photos, videos, audio, files | Exercise media, public profile media, InBody PDFs/images, audio recordings, attachments, camera/QR scans. | Upload, scan, review, play, transcribe, attach, and publish user-directed content. | Storage, processing, AI/transcription where used, and assigned product participants. |
| Identifiers and diagnostics | Firebase auth ID, provider ID, push token, request IDs, IP address, user agent, app version, crash logs, Sentry/Firebase Crashlytics events. | Authentication, notifications, reliability, abuse prevention, support, debugging, service health. | Firebase/Google, Sentry, AWS, and backend infrastructure providers. |
| App activity | Feature usage, login/session state, viewed plans, training/session state, analytics events when enabled. | Operate the service, improve reliability, maintain coaching workflows, understand product usage. | Analytics, hosting, and diagnostics processors when enabled. |
3. Runtime Permissions and Platform Disclosures
| Platform permission or capability | Observed purpose in BasketTrainer | Store disclosure guidance |
|---|---|---|
| Camera | QR scanning, exercise/media capture, body-composition or attachment upload flows. | Disclose camera access and explain it in permission prompts. |
| Microphone / audio recording | Voice notes, journal audio, AI-assisted transcription or cleanup when requested. | Disclose audio collection as user content. Do not imply background listening. |
| Photo library / files | Upload attachments, exercise media, profile/plan images, InBody PDFs/images. | Disclose photos/videos/files collection when the user selects uploads. |
| Push notifications | Training reminders, assignment messages, team/trainer updates, app workflow alerts. | Requires user consent on supported platforms. |
| HealthKit / watch workout processing | Apple Watch companion workout runtime, timers, and training continuity. | Declare health/fitness use. Health data must not be sold, used for ads, or shared beyond the user-directed training feature. |
| Wear OS wearable APIs | Phone-watch synchronization, compact workout controls, workout state, timer cues. | Disclose watch companion behavior and data sync between phone and watch. |
| Advertising ID | The Wear OS manifest currently declares com.google.android.gms.permission.AD_ID. |
If no advertising or ads SDK uses this identifier, remove the permission before release or disclose the actual use in Google Play. |
| Local network | iOS local network description exists in the app plist. | Confirm whether current release needs it. Remove if unused, or disclose the user-facing reason. |
4. Apple App Store Review Checklist
- Privacy policy URL must be set for the app and should describe all collected data, health/fitness data, processors, retention, and deletion.
- App Privacy labels should mark data categories collected by the app, watch app, website-backed account, Firebase/Sentry analytics or crash reporting, and Stripe payment metadata when enabled.
- Apps with account creation should include an accessible in-app account deletion path, not only a support email.
- HealthKit/watch workout data must be used only for health, fitness, and training purposes, not advertising or unrelated profiling.
- The health and safety disclaimer should be reachable from app support, public web, and store review notes.
- If paid public plans are sold outside in-app purchase, confirm the current Apple rules for the exact content, user relationship, and jurisdiction before submission.
5. Google Play Checklist
- Complete Data safety with all collected/shared categories, purposes, encryption in transit, account deletion, and data deletion details.
- Set the account deletion web URL to https://baskettrainer.com/legal/account-deletion.html.
- Complete the Health apps declaration if Google Play classifies the app as health, fitness, exercise, or body-composition related.
- Verify whether the build requests Advertising ID. If the app does not use ads or ad measurement, remove the AD_ID permission and declare no advertising ID collection.
- Disclose camera, microphone, files/photos, notifications, and wearable companion use exactly as implemented.
- Make sure public privacy policy content is accessible without login and matches the data in the Play Console form.
6. Draft Store Positioning
- Ads: no advertising network is intentionally described in the current product documentation.
- Sale of data: BasketTrainer privacy docs should state that personal, health, and fitness data is not sold.
- Tracking across companies' apps/sites: only declare tracking if the release actually links data with third-party data for advertising or measurement under Apple/Google definitions.
- Encryption in transit: API and website traffic should be served over HTTPS. Confirm all production endpoints and media URLs before submission.
- Deletion: email deletion path is documented publicly; add/confirm in-app deletion for stricter store compliance.